New Denial of Service Attack on Panix

Hi Vadim!

You are absolutely correct in your 'red flag' that source route
filtering does not solve 'all the worlds ip-spoofing security
problems', and a great deal of work needs to be done.

On the other hand, if all end-user providers at least filter to
help guarantee that only valid customer source addresses come from
their sphere of influence, these type of denial-of-service
attacks would be easier to trace, track, and plug, when

You know how these types of issues are mitigated; one-step-at-a-time.
The source route filtering from end-user providers needs to happen,
just as ISPs used to demand new providers BGP 'in the old days'.

It is not too difficult for higher tier providers to 'sniff and
audit' to discover the 'non-compliant' providers, or to set
up a mechanism to verify this automatically.

One step at a time. Certainly, it is in the best interest of
the performance of the Big I to have the filter lists as far
down the routing tier as possible and to keep the higher
level transit nets as 'filter clean as possible' (filtering

This sounds like a gloomly and extremely difficult task;
and the reality is, that there is no 100 percent solution,
but maybe .95 is achieveable in the short term? .98?

Large transit carriers must 'say no' to mid-level providers
that refuse to aggressively insure that filtering their
customers take place, and this, in itself, is a very difficult
to enforce task.

Best Regards,



Vadim! ......... The East coast is not the same
without seeing you in the bookstores and computer stores
from time to time.